Greetings,
Throwing this out to the informed masses... What is the best way to recover passwords, logins, etc. from machines where these items are not saved to the computer, like the registry, but merely typed in and the person "hits enter"? I am guessing they are in RAM, but things like dd_img do not capture them (using a Windows forensics toolkit approach). Based on the scenario, keyloggers are not an option because the deed is done by the time I find out about it - but I do have access to any machine immediately after the events (corporate environment). Much appreciated...

March 27th, 2006, 04:31 AM

gore

I made a batch file that does this for me on Windows 9X.

copy C:\WINDOWS\*.pwl a:

I popped that into a batch file on a floppy disk. Works great. This should give you at least a start.

March 27th, 2006, 04:03 PM

Synja

Gore... that was the most retarded answer you have ever given.

SASJohnson, you're not trying to get local logins? You are talking more like websites and whatnot? Something where the hash is not stored locally?

March 27th, 2006, 05:13 PM

Tiger Shark

I second Synja with regard to Gore's comment.... *sigh*

You may find the passwords or their hashes in the page file. You may also find them in the browser history as part of the URL sent after the password has been entered. Hell, they may have even said "remember me" and you _might_ find them stored in cookies...

My question is though... Why do you need their password... If they went to hotmail to check their personal email and that is against policy then you already have them by the short and curlies... There's no reason to see if they received any new email... Pummel them on the policy breach...

March 27th, 2006, 05:15 PM

gore

Lol What, it said passwords in RAM... Lol. Damn no one appreciates a good one anymore.

March 27th, 2006, 05:35 PM

preacherman481

"Based on the scenario, keyloggers are not an option because the deed is done by the time I find out about it - but I do have access to any machine immediately after the events (corporate environment)."

This sentence is not making sense to me. You can't use a keylogger "because the deed is done by the time I find out about it...," but then you go on to say, "but I do have access to any machine immediately after the events...." If you need to stop some illicit deed beforehand, how is any method someone could give you going to help you afterward?

March 27th, 2006, 05:37 PM

Nokia

Sounds like you are maybe trying to get someone's "network" logon password?

March 27th, 2006, 05:39 PM

Tiger Shark

Preacher:

Policy doesn't allow him to put keyloggers on his boxes but, through whatever means, he may discover activity that requires him to investigate it... Hence the after the fact investigation...

March 27th, 2006, 05:56 PM

gore

Quote:

Originally posted here by Nokia

Sounds like you are maybe trying to get someone's "network" logon password?

That's why I toyed with him. But that got ruined by the no sense of humor duo.

March 27th, 2006, 06:27 PM

Synja

Quote:

That's why I toyed with him. But that got ruined by the no sense of humor duo.

I have a sense of humor. I just usually prefer jokes involving flatulence or boobies.